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1.0  INTRODUCTION 


The  ability  of  systems  (e.g.,  power  plants,  aircraft,  missiles,  spacecraft,  etc.)  to  successfully  perform  their 
functions  while  degraded  due  to  either  man-made  or  natural  stimuli  is  a  subject  of  current  interest  by  the 
probabilistic  ride  assessment  and  survivability/vulnerability  assessment  communities.  A  common  tool 
used  by  these  communities  to  both  qualify  and  quantify  the  likelihood  of  these  degraded  stales  is  die  fault 
tree.  Following  die  definition  given  by  Bartow  and  Lambert  (Ref.  1),  a  fault  tree  is  a  model  that 
graphically  and  logically  represents  the  various  combinations  of  possible  events  occurring  in  a  system 
that  leads  to  the  top  event  of  interest  Figure  1  illustrates  a  simple  fault  tree  for  the  top  event  of  a 
disabled  automobile  air  bag  restraining  system.  The  air  bag  system  is  disabled  if  either  the  inflation 
mechanism  is  disabled  or  both  collision  sensors  are  disabled.  The  combination  of  events  in  a  fault  tree  is 
represented  by  special  symbols  which  define  logic  gates  where  the  most  familiar  gates  are  the  AND  and 
OR  gates.  The  AND  gate  is  passed  if  all  of  its  inputs  occur  whereas  the  OR  gate  is  passed  if  one  or  more 
of  its  inputs  occur.  The  use  of  fault  trees  to  graphically  define  the  disablement  logic  of  systems  is  widely 
accepted. 


Figure  1.  Example  fault  tree  for  automobile  air  bag  restraining  system. 

Another  less  frequently  used  but  useful  gate  is  the  M-out-of-N  gate.  This  gate  is  passed  if  only  M  or 
more  input  events  occur.  Figure  2  illustrates  the  common  fault  tree  symbol  used  to  denote  M-out-of-N 
gate.  Common  instances  where  an  M-out-of-N  gate  is  used  is  in  voting  systems.  For  example,  to  reduce 
the  number  of  unnecessary  and  expensive  shutdowns  of  a  production  process  due  to  spurious  signals,  a 
system  could  be  designed  to  shut  down  if  two  or  more  sensors  out  of  a  suite  of  three  redundant  sensors 
indicate  a  problem. 


1 


Figure  2.  Common  M-out-of-N  gate  symbol. 

Interestingly,  any  M-out-of-N  gate  can  be  reduced  to  an  equivalent  set  of  AND  and  OR  gates  as 
illustrated  in  Figures  3  and  4  for  a  2-out-of-3  gate.  The  convenience  of  using  an  M-out-of-N  gate  instead 
of  its  equivalent  AND  and  OR  gates  becomes  apparent  when  M  and  N  become  laige. 


Figure  4.  Equivalent  representation  of  2-out-of-3  fault  tree  shown  in  Figure  3. 
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Quantification  of  fault  trees  is  a  fairly  straightforward  process  when  probabilities  are  assigned  to  the 
input  events  and  all  the  input  events  ate  statistically  independent  The  output  of  an  AND  gate  is 
calculated  by  die  multiplicative  law  of  probability  as  defined  in  Equation  1  where  Yi  denotes  n  input 
probabilities.  Likewise,  Equation  2  is  a  similar  formula  for  calculating  the  output  of  an  OR  gate  given  n 
statistically  independent  input  probabilities.  By  applying  Equations  1  and  2  to  the  respective  gates  in  a 
bottom-up  fashion  through  the  fault  tree,  the  probability  of  the  top  event  can  be  quantified. 


i  -  1 


(1) 


n 

i  -  n [/  -  rii  (2> 

i  =  1 

The  use  of  die  M-out-of-N  gates  adds  some  additional  complications  in  quantifying  a  fault  tree.  From 
inspection  of  Figure  4,  it  is  clear  that  the  assumption  of  statistical  independence  for  all  gate  inputs  is 
immediately  negated.  Consequently,  quantifying  an  M-out-of-N  gate  requires  knowledge  of  additional 
laws  of  probability  followed  by  an  exercise  in  the  event-composition  method  of  calculating  the 
probability  of  an  event 

In  practice,  most  present  day  fault  tree  analysts  do  not  quantify  fault  trees  by  hand,  but  rather  use  more 
sophisticated  automated  software  tools  (Refs.  2-4).  Most  of  these  tools  are  based  on  a  cut  set 
methodology  for  quantification.  Basically,  a  cut  set  is  a  set  of  events  whose  occurrence  causes  the  top 
event  to  occur.  For  example,  the  cut  sets  for  the  fault  tree  in  Figure  4  are  (Sensor  No.  1,  Sensor  No.  2}, 
(Sensor  No.  1,  Sensor  No.  3),  and  (Sensor  No.  2,  Sensor  No.  3}.  For  M-out-of-N  gates  where  N 
becomes  large,  the  number  of  cut  sets  becomes  unmanageable  even  with  a  software  tool  Equation  3 
defines  the  number  of  cut  sets  which  must  be  manipulated  for  an  M-out-of-N  gate  which  is  simply  the 
number  of  ways  in  which  M  objects  can  be  selected  out  of  N  without  regard  to  order. 


Number  of  CutSets  = 


N\ 

(. N-M )  \M\ 


(3) 


For  example,  for  N  =  25  and  M  =  10,  there  are  3,268,760  cut  sets  to  be  manipulated,  lb  avoid  this 
problem,  many  automated  tools  use  an  approximation  or  limit  N  to  a  relatively  small  number  (e.g.,  10). 
In  most  cases,  the  approximation  is  only  valid  when  the  input  probabilities  are  very  small  (e.g.,  <  0.01). 
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For  those  situations  where  N  is  too  large  for  cutset  techniques  and  an  exact  probability  is  desired,  die 
following  algorithm  is  offered.  This  algorithm  is  easily  coded  into  software  for  computational 
convenience. 

Before  proceeding  with  describing  the  algorithm,  some  notation  and  definitions  are  provided.  Let 

Ci,  C2, ....  Cj,  represent  N  statistically  independent  events, 

Pi,  P2 . Pn  are  the  probabilities  of  elt  C2 . e^ 

E(J,K)  represents  the  event  that  exactly  J  of  the  K  events  (elt  e^ ....  eK)  occurred, 

P(JJC)  is  the  probability  of  E(JJC), 
n  represents  Boolean  AND  operator, 

U  represents  Boolean  OR  operator,  and 
e  denotes  the  negation  of  event  e. 
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2.0  ALGORITHM 

Suppose  one  has  N  statistically  independent  events  elt  e^ ....  e„  with  known  probabilities  plt  pj, ....  pR. 
Furthermore,  let  E(M  JN)  represent  the  event  that  exactly  M  of  these  N  events  occur,  and  let  P(M,N)  be 

the  probability  ofE(M,N).  Then  find  P(M,N)  for  M  =  0, 1 . N.  Since  each  p  can  be  different,  the 

binomial  law  does  not  apply. 

Let  E(J,K)  be  die  occurrence  of  exactly  J  of  the  first  K  events  e^,  ...,  e^  and  let  P(J,  K)  be  the 

probability  of  E(J,K).  Now  it  is  shown  that  the  probabilities  P(J,K  +  1),  J  =  0, 1 . K  + 1  can  be 

computed  from  the  probabilities  F(J,K),  J  =  0, 1, ....  K.  Consider  E(J,  K  + 1),  the  occurrence  of  exactly  J 

of  the  first  K+  1  events  . e**  j.  Suppose  J  =  0.  None  of  the  first  K  +  1  events  can  occur  only  if 

none  of  the  first  K  events  occur,  and  event  ek  +  x  also  does  not  occur.  This  statement  is  written 
symbolically  in  Equation  4. 

EiPJC  + 1)  =  E(0JO  neK+1  (4) 

Now  compute  the  probability  of  the  right  side  of  Equation  4  to  get  an  expression  for  P(0,K  + 1),  the 
probability  of  E(0,K  +  1).  The  probability  of  E(0,K)  is  P(0,K)  and  the  probability  of  eK  +  x  is  1  -  p^  + 1- 
Since  E(J,K)  depends  only  on  events  ej  through  ek  which  are  statistically  independent  of  ek  + !  by 
definition,  E(JJK)  andek+1are  independent  for  all  values  of  J.  Therefore,  the  simplified  multiplicative 
law  of  probability  can  be  used  for  tire  occurrence  of  two  independent  events  as  shown  in  Equation  S. 

P(0JC  +  1)  =  P(0JQ[I-pK  +  1 ]  (5) 

The  special  case  of  J  =  K+  1  is  treated  in  a  similar  fashion.  All  of  the  first  K  +  1  events  can  occur  only  if 
all  of  the  first  K  events  occur,  and  event  ek+  j  also  occurs.  Equation  6  symbolizes  this  relation. 

E(K  +  1JK  +  1)  =  E(KJC)neK+1  (6) 

The  corresponding  probability  of  E(K  +  1,K  +  1)  is  shown  in  Equation  7. 

P(K+  1JC+ 1)  =  P(KJC)Pk  +  1  (7) 

Now  consider  the  cases  where  0  <  J  <  K  +  1.  For  these  cases,  J  of  the  first  K  +  1  events  can  occur  in  two 
ways.  Either  J  of  the  first  K  events  occur,  and  event  ek  +  x  does  not  occur,  or  J  - 1  of  the  first  K  events 
occur,  and  event  ek  +  x  does  occur.  This  is  expressed  symbolically  in  Equation  8. 
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(8) 


E(JJC  +  1 )  =  (E(JJC)neK+1)  u  (E(J-lJQneK  +  1) 

Again  invoking  the  independence  of  ek  + 1  from  E(JJC)  for  all  values  of  J,  the  probability  of 
(E(JjQnTK+t)  isP(J,KXl -Pk+i).  and  the  probability  of  (EV-ijQne^j)  isP(J-  1,KXpk+i)-  Since 
the  two  events  (£(7J0n7Jr+;)  and  < E(/-JJO  n  eg4. ,)  are  disjoint,  the  probability  of  either  of  them 
occurring  is  equal  to  the  sum  of  their  individual  probabilities  as  shown  in  Equation  9. 

PUJC+l)  =  P(JJ0U-PK  +  1\  +P(J-1JQ(Pk+1)  for,  (9) 

(0<J<K  + 1) 

If  P(J,K),  J  =  0, 1, ....  K,  is  known  for  some  value  of  K  =  K\  repeated  use  of  Equations  5, 7  and  9  yields 
P(KX-),  J  =  0, 1, ....  K  for  all  values  of  K  greater  than  K*  up  to  K  =  N.  Since  the  values  of  P(J,K)  are 
known  for  the  trivial  case  of  K  =  1  (P(0,1)  =  1  -  Pi  and  P(l,l)  =  Pi),  the  probabilities  P(MJ4), 

M  =  0, 1, ....  N,  can  be  computed  in  N-l  steps.  Each  stq)  requires  one  application  of  both  Equations  5 
and  7,  and  K  applications  of  Equation  9  where  K  is  the  step  index.  Therefore,  the  completion  of  P(M,N) 
for  M  =  0, 1, ....  N  requires  N-l  applications  of  both  Equations  5  and  7  and  N(N  - 1)  /2  applications  of 
Equation  9.  The  individual  probabilities  P(M.N)  can  then  be  summed  to  get  the  probability  of  M  or  more 
events  out  of  a  possible  N  events. 
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3.0  EXAMPLE 


Assume  there  are  five  statistically  independent  events,  elt  Cj,  c^,  e4,  e5>  with  known  probabilities  pj  = 
020,  P2  =  0.50,  p3  =  0.30,  p4  =  0.90,  p$  =  0.70.  Now  suppose  one  wants  to  calculate  the  probability  of 
three  or  more  of  those  events  occurring.  Using  Equations  5, 7  and  9  in  a  recursive  manner  allows  the 
answer  to  be  computed  as  demonstrated  in  the  following  calculations. 


P(0,l)=l-pj  =  1-0.20  =  0.80 
p(l.l)  =  Pi  =  0.20 


P(02)  =  P(0,1)[1  -  p2l  =  0.80[1  -  0.50]  =  0.40 

P(12)  =  P(l,l)[l  -  P2]  +  PC0,l)p2  =  0.20[1  -  0J0]  +  0.80(0.50)  =  0.50 

P(22)  =  P(1.1)P2  =  0.20(0.50)  =  0.10 

P(0,3)  =  P(02)(  1-  P3]  =  O.40[l  -  0.30]  =  0.28 
P(l,3)  =  P(12)[l  -  P3]  +  P(02)p3  =  50(1  -  0.30]  +  0.40(0.30)  =  0.47 

P(2,3)  =  P(22)(l  -  P3]  +  P(U)P3  =  0.10(1  -  0.30]  +  0.50(0.30)  =  0.22 
P(3,3)  =  P(22)P3  =  0. 10(0.30)  =  0.030 

P(0,4)  =  P(0,3)[l  -  p4]  =  0.28(1  -  0.90]  =  0.028 
P(l,4)  =  P(l,3)[l  -  p^  +  P(0,3)P4  =  0.47(1  -  0.90]  +  028(0.90)  =  0299 
P(2,4)  =  P(2,3)[l  -  P4]  +  P(U)p4  =  0.22(1  -  0.90]  +  0.47(0.90)  =  0.445 
P(3,4)  =  P(3,3)[l  -  P4J  +  P(2,3)p4  =  0.030(1  -  0.90]  +  022(0.90)  =  0.201 
P(4,4)  =  P(3,3)p4  *  0.030(0.90)  =  0.027 

P(0,5)  =  P(0,4)[l  -  p5]  =  0.028(1  -  0.70]  =  0.0084 
P(l,5)  =  P(l,4)(l  -  p5]  +  P(0,4)p5  =  0.299(1  -  0.70]  +  0.028(0.70)  =  0.1093 
P(2,5)  =  P(2,4)[l  -  p5]  +  P(l,4)p5  =  0.445(1  -  0.70]  +  0299(0.70)  =  0.3428 
P(3J5)  =  P(3,4)[l  -  p5]  +  P(2,4)p5  =  0.201(1  -  0.70]  +  0.445(0.70)  =  0.3718* 

P(4J5)  =  P(4,4)[l  -  p5]  +  P(3,4)p5  =  0.027(1  -  0.70]  +  0201(0.70)  =  0.1488* 

P(5,5)  =  P(4,4)p5  =  0  027(0.70)  =  0.019 

Summing  all  the  probabilities  which  represent  the  occurrence  of  three  or  more  events  (those  calculations 
with  an  asterisk)  gives  the  probability  of  three  or  more  events,  0.5396.  The  reader  is  encouraged  to 
check  the  result 
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4.0  SUMMARY  AND  CONCLUSIONS 


This  algorithm  has  been  implemented  into  a  software.  Performance  of  the  software  is  on  the  order  of  N2 
in  time  complexity  and  2N  in  space  complexity. 

The  order  of  N2  in  time  complexity  can  be  verified  by  observing  that  for  any  combination  of  M  and  N, 

the  algorithm  must  compute  the  intermediate  probabilities  P(J,K)  for  all  values  of  K,  i.e.,  1,2 . N. 

Furthermore,  for  each  K,  P(JJC)  must  be  calculated  on  average  of 

do) 

i-i 

times  to  account  for  all  J.  Noting  that 

*£  <«>/)  (11) 

i-j 

is  upper  bounded  by  N,  and  neglecting  the  final  linear  summation  of  foe  appropriate  intermediate 

probabilities,  the  computational  complexity  is  N  X  N  =  N2. 

% 

The  space  complexity  of  2N  can  be  achieved  by  recognizing  that  the  final  intermediate  probabilities 
P(J.N),  J  =  0, 1, ....  N  depends  only  on  the  proceeding  intermediate  probabilities  P(J,N  - 1),  J  =  0, 1 .... 

N  - 1.  Consequently,  only  two  sets  of  intermediate  probabilities  must  be  kept  on  hand  at  any  one  time. 
Since  the  maximum  number  of  intermediate  probabilities  is  N  + 1  (0, 1, ...,  N),  foe  total  space 
requirement  is  N  +  (N  + 1)  which  is  approximately  2N. 

A  simple  recursive  algorithm  is  presented  to  compute  the  exact  probability  of  occurrence  of  M  or  more 
events  out  of  a  possible  N  events.  The  algorithm  begins  by  recursively  commuting  the  probability  of 
occurrence  of  exactly  M  events  out  of  a  possible  N  events.  These  intermediate  results  may  be  quickly 
summed  to  obtain  the  industry  standard  definition  of  M  or  more  events  out  of  a  possible  N  events. 
Performance  of  the  algorithm  is  on  fire  order  of  N2  in  time  and  2N  in  space.  This  algorithm  does  not  use 
cut  set  methodology  and  consequently  is  not  limited  by  the  combinatorial  explosion  problem  associated 
with  cut  set  manipulation  of  the  M-out-of-N  gate. 

This  algorithm  is  extremely  useful  when  foe  exact  probability  of  M-out-of-N  is  desired,  especially  in 
cases  where  N  exceeds  limitations  of  cut  set  manipulation  techniques  and  when  the  M-out-of-N  event  is 
statistically  independent  of  other  events  in  foe  system  under  consideration. 
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